Privacy policy

This website privacy policy template has been designed to help website owners comply with European Union and United Kingdom data protection legislation, including the General Data Protection Regulation (GDPR).

The policy covers all the usual ground: the categories of personal data that are collected, the purposes for which that personal data may be used, the legal bases for processing, the persons to whom the personal data may be disclosed, international transfers of personal data, the security measures used to protect the personal data, individual rights and website cookies.

First published in 2008, this policy and its antecedents have been used on hundreds of thousands of websites. It was updated during 2017 and 2018 to reflect the GDPR and the developing regulatory guidance from the EU and UK data protection authorities. This template was last updated on 25 April 2018.

If you're new to data protection law, then before downloading the policy you might want to review the questions and answers below, which provide an introduction to both the legal and practical issues around the use of privacy policies.

*If you use this free privacy policy, please retain the attribution / credit for SEQ Legal. If you purchase the policy via this link, you will get a copy of the policy without the credit / attribution.

Why do I need a privacy policy?

The law probably requires that you publish a privacy policy (or similar document) on your website.

Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website?

If you do, EU and UK data protection law requires that you provide information to individuals about how you use their data. The usual way of providing that information is via a privacy policy.

The key pieces of legislation include the GDPR and, in the UK, the Data Protection Act 2018. But these legislative requirements are not the only considerations in play. There are at least three other reasons to publish a privacy policy on your website.

First, your contracts with service providers may require that you publish an appropriate privacy policy. For example, the Google Analytics terms and conditions require that you "have and abide by an appropriate Privacy Policy ... You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data."

Second, a clear and open privacy policy will help you to build trust with some of your users. Users may refuse to register with a website if they aren't confident that their personal data will be protected. Just as bad, they may provide unreliable information when doing so.

Third, one of the key functions of many websites is the projection of a serious and professional image. A website without the necessary legal documentation may have a negative effect on the image of the business behind it.

This website privacy policy template has been drafted with all of these goals in mind, although the legal compliance requirements are overriding.

Should I use a template or ask a lawyer to prepare a policy for me?

Data protection law is not straightforward. Indeed, since the coming into force of the GDPR, it is difficult for many organisations to be confident that they comply.

Ideally, all privacy policies would be prepared by, or under the supervision of, experts in data protection law. But data protection expertise can be expensive: you might pay anything from £500 to £5,000 or more for a UK data protection lawyer to prepare a privacy policy.

As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.

Is this the right template privacy policy for me?

A legal template is both never and always potentially suitable for a particular job. Never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.

That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.

You should only use this template in relation to the following purposes if you are confident that you can make the necessary adaptations:

the personal data of minors;

sensitive personal data / special categories of personal data;

large-scale processing of personal data;

any complex or unusual personal data processing; and

any personal data processing that is likely to have a significant impact on individuals' rights and freedoms.

What information should I provide in my privacy policy?

The core disclosures required by the GDPR are set out in Articles 13 and 14.

Article 13 sets out the information that must be provided where personal data are collected from the individual. Article 14 sets out the information that must be provided where personal data are collected from some other source.

The main categories of information are:

identity and contact information of the controller;

where personal data is not collected from the individual, the source and nature of that data;

the purposes of the processing;

the legal bases for the processing, including details of applicable legitimate interests;

the recipients or categories of recipients of the personal data;

details of international transfers of personal data that require legal protections, and details of those protections;

the periods for which the personal data will be stored, or at least the criteria used to determine those periods;

individuals' legal rights with respect to their personal data;

whether the provision of personal data is a legal requirement;

the existence of automated decision-making, including profiling.

Our privacy policy template has been designed to help you to disclose the necessary information.

Should information about cookies be included in the privacy policy or elsewhere?

There's a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don't themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.

Because of this overlap, it is common to include cookie disclosures in a privacy policy, and this template does include relevant disclosures – although not in so much detail as in our premium privacy and cookie policy templates.

The key legal instruments currently applicable to cookies are:

across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and

The latter is the UK's implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.

New legislation on cookies is currently going through the EU legislative process, but this is not expected to become law until 2020 at the earliest.

In addition to the information disclosure requirements, you may need to get user consent to cookies. This privacy policy template includes an optional statement to the effect that users consent to the use of cookies. However, this will not alone satisfy the cookies consent requirement under the cookie laws.

How do I edit the privacy policy?

After you have downloaded the policy, you will need to open it in your word processing software for editing.

The first thing you should decide is how to categorise the personal data that you process. Your categorisation should reflect how data is handled in practice. For example, you might differentiate between analytics data, enquiry data, customer relationship data and transaction data. The template privacy policy includes a suggested categorisation.

With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and - this is often the hard bit - the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.

You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.

Guidance notes are included in the template to help with the editing process.

After editing, you should add the privacy policy text to your website, either via your content management system or directly after converting it to HTML.

Why is your privacy policy longer / more complicated than some other policy templates?

This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.

Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn't be needed. In many cases, the guidance either overreaches or dodges the difficult issues.

Another reason for the length of our templates is that … they are templates. They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.

If you do plan to use a simpler template from another website, you should take care to ensure that it covers all the necessary ground. If you can create a privacy policy from a template in a few minutes, there may well be something wrong with the template.

What other privacy and cookies documents are available?

We supply a range of privacy and cookie documents on our ecommerce websites, Website Contracts and Docular.

Cookies policy: A simple policy covering cookies disclosures.

Privacy policy: A short-form privacy policy for data protection disclosures, identical to this policy except that it omits the SEQ Legal credit.

Privacy and cookies policy: A document combining the provisions of our privacy policy and cookies policy.

Do I also need a data protection or GDPR policy?

"Privacy policy" is not a term of art.

Documents with the same function will sometimes be called "privacy notices", "data protection statements", "personal data processing policies", "GDPR policies" - or something different entirely.

Worse, there is a different type of document that shares the same pool of possible names.

Whilst our free privacy policy is concerned with the disclosure of information about personal data handling, this other type of document is concerned with specifying the policies and procedures that regulate how employees and non-employed personnel conduct themselves in relation to personal data handled by the organisation. This other type of document will typically form part of a staff handbook and/or the set of policies provided to freelancers and other subcontractors engaged by the organisation to provide services.

I usually refer to this other type of document as a "data protection policy" – but don't assume that other professionals will do so.

In most cases, you will want to keep these documents separate.

Do I need a data processing agreement?

A privacy policy is concerned with an organisation's role as a controller of personal data; whereas a data processing agreement is concerned with an organisation's role as a processor of personal data.

This distinction can be confusing and tricky to apply.

Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?

The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.

An example might help. A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.

In any case, if you are a processor, then the GDPR requires that you enter into a specific set of contractual clauses with your controller. A data processing agreement is a document that contains those clauses, sometimes elaborating and/or supplementing them. Processors should not produce privacy policies with respect to that data because the production of a privacy policy is the responsibility of the controller.

Summary of free document licensing terms

By downloading a free legal document available on this website, you accept and agree to our terms and conditions. The main terms of the licence in the terms and conditions are as follows.

Unless you have paid for the right to use the relevant document without the included credit (attribution) text, you must retain the credit in the free legal document.

Subject to this point, you may edit and amend the documents to render them suitable for your purposes.

You must not sell or re-distribute the free legal documents or derivatives thereof.

We give no warranties or representations concerning the free legal documents, and accept no liability in relation to the use of the free legal documents.

Comments

Hi, I went through your suggested documents, however, there are quite a few things that are unclear there for a non-expert like myself. Are there any explanatory notes for these documents at all? For example, in Website Terms & Conditions par. 6.1 specifies that a visitor should be a resident in the UK whereas my website is targeting other countries in the EU so how is this relevant to anyone who is a resident in other such countries? Par. 19.2 gives you a choice between "exclusive" and "non-exclusive". What is the difference and which option to choose? The Privacy Policy doc is full of the unclear choices and "specify basis" "identify URL" and "sources" to fill in.... Could you explain perhaps how to fill in these as I have no idea what basis or sources I should quote.... :-( Thanks so much in advance!

If you click on the little notes / document icons in Docular, then notes corresponding to the relevant provisions will appear in the right-hand column.

The templates tend to include lots of optional / removable provisions, because it is easier to remove an unwanted clause than to write a missing one. The residency clause in the T&Cs can for most websites be removed.

Regarding exclusive / non-exclusive jurisdiction: the former should be used where you want ONLY the identified courts to adjudicate disputes; the latter where you want the identified courts PLUS any others who may have jurisdiction under the applicable rules of private international law. Even where you choose exclusive jurisdictions, the courts in a different country may sometimes ignore this (e.g. to apply their own consumer protection law).

I'm just reading through the document I bought yesterday and it says it's for England and Wales. I thought it was for the UK (all included) and just wondered if it's ok to use them for Northern Ireland as that's where my business is based....?! All this is such a headache and I thought I found the perfect solution when I was recommended your site yesterday ... :)

While Northern Ireland does have a distinct legal system from England (see https://en.wikipedia.org/wiki/Northern_Ireland_law), the legal rules that affect the T&Cs and privacy policy are largely EU rules or UK-wide rules. For instance, the data protection rules that regulate privacy notices are contained in the GDPR (an EU instrument) and the Data Protection Act 2018 (a UK-wide instrument). There may be relevant differences - e.g. in the principles of contract law - but I would be surprised if any differences had a significant impact on the text of the documents. However, I have not studied NI law and if you want a more certain answer to this question you should consult a NI qualified lawyer.

I am creating a website that is based on my hobby. There are no commercial aspects to it; I do not sell anything and neither do I provide any chargeable services. There are no membership and/or registration requirements on my website. The website is purely me giving information about the subject for educational and/or personal interest reasons.

I do have a contact form and a comments page where people can write and upload comments to my posts, such as the one you have on this website. When I have tested the comments section on my site, and I look at the details of the comment via my website admin panel, I can see the following information about people who add comments: name (not required, they can post anonymously) and email (not required, again they can post anonymously.) Obviously, if they do provide a name and/or email address, then I can see that information in my admin panel. I am, however, provided with an IP address of the sender if they submit a comment (whether anonymously or not). Again, if somebody uses the contact form I will receive an email with their email address, and possibly name, contained within.

If you are acting as a controller within the scope of the GDPR, you will need a privacy notice of some kind; if you are not, you will not.

Art 2(2) of the GDPR provides that "This Regulation does not apply to the processing of personal data: ... by a natural person in the course of a purely personal or household activity".

The sensible / rational interpretation of this would be that communications made via personal websites about hobbies are outside the scope of the GDPR.

The guidance from the UK ICO doesn't expand much upon this:

" ... personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the GDPR."

Unfortunately, the courts have not been very helpful here. In the Buivids case, the CJEU found that an individual posting a YouTube video could be subject to controller obligations (including the obligation to provide privacy notices). See:

On balance, you are more likely than not to be outside the GDPR's scope, and it is very probably a very low risk to not publish a privacy policy on this type of site, but we cannot be 100% sure how the courts - or data protection regulatory authorities - would approach the issue.

NB If you started making any money from the site (eg via affiliate links) then you would likely fall within the GDPR.

Even if you are only dealing with other businesses, you will still be handling personal data. For example: the personal data of supplier and customer personnel, the personal data of employees and subcontractors, and the personal data of persons on your marketing lists. Wherever you are handling personal data, the GDPR will apply (subject to jurisdictional limitations).

You could either try to cover all the personal data that you handle (as a controller) under one privacy policy, or create different policies for different classes of data subject. Larger businesses may have many different privacy policies; smaller businesses may have few or one (or, quite commonly, none at all...).

Hi, I have my personal website where I write novels, stories and rhymes etc. I publish those links to my Facebook account and people visit my site to read my writings. I don't use any kind of ad on my site. The only issue is I have a contact form where visitors can put their name, e-mail address and messages. That's how sometimes I get some of the visitors' e-mail addresses.

The obligation to publish a privacy notice in the context of personal data collection will not apply in relation to processing "by a natural person in the course of a purely personal or household activity" (Reg 2(2)(c) GDPR). Your website might well fall within this exception - although NB the European courts seem to be interpreting it narrowly.

As regards a disclaimer, you probably have no obligation under UK law to publish the information that is typically included in a disclaimer, as the website is non-commercial. However, if there are any risks relating to the use of the information published on the website (eg health information or exercise information) then it might be a good idea to publish a disclaimer nonetheless.

Hi, I'm starting up a new business so at the moment I'll be a sole trader, planning on becoming a limited company in a year or so. (I'm already running another business as a sole trader, "Cooking Tutor".) With this new venture, I will provide accommodation (reserved hotel rooms), transport (a hired company that will supply their service) and guided tours (with a licensed guide). I will not be providing flights. Would you be able to tell me if this template would be fine for me and what sections I will not need, if any? I'll be collecting data like names, emails, addresses, phone numbers, for communication with those people. I will also need to give their data to the Italian authority, when in Italy, for the purpose of paying city taxes.

Hi Fulvia - Even if you were in the UK, I wouldn't be able to provide this kind of assistance, unless you became a client of my law firm. Templates always need to be adapted for the circumstances in which they are used. You should consult an Italian IT/privacy lawyer about this.

... for the mistaken assumption. My general point still stands, however: whilst a template privacy policy can highlight the main categories of information that a business will need to disclose, it is always possible that due to some particular circumstances it does not highlight all categories. This document is a general website template, and doesn't for example contain disclosures that are specific to tour operators.